topic Re: Hello, in Network Security

No matching global

ASA.M.Oss — Tue, 12 Mar 2019 07:48:05 GMT

I have an outdate ASA 5510 with 8.0 OS.

With the old command set, I created inside, DMZ and outside. The DMZ provides a web server host az 172.28.0.15, the translation from outside to DMZ works very well.

The problem is the access from the inside interface to the web server at the DMZ. The ASDM packet tracer comes through until NAT, then the tool generates the following message:

"nat (inside) 101 192.168.10.0 255.255.255.0 match ip inside 192.168.10.0 255.255.255.0 DMZ any dynamic translation to pool 101 (No matching global) translate_hits = 15, untranslate_hits = 0" statement. Unfortunately, I have no idea how to resolve this...

Here is my config, where I would appreciate any hint:

interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 172.28.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif outside
security-level 0
ip address 1.2.3.4 255.255.255.0 (not true, just as example)
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list out2dmz extended permit tcp any any eq www
access-list out2dmz extended permit tcp any any eq https

global (outside) 101 interface

nat (inside) 101 192.168.10.0 255.255.255.0
nat (DMZ) 101 172.28.0.0 255.255.255.0
static (DMZ,outside) tcp interface www 172.28.0.15 www netmask 255.255.255.255
static (DMZ,outside) tcp interface https 172.28.0.15 https netmask 255.255.255.255
access-group out2dmz in interface outside
route outside 0.0.0.0 0.0.0.0 <external IP> 1

Hello,

Kornelia Gutierrez — Wed, 25 May 2016 17:11:47 GMT

Hello,

The problem you are getting is caused by nat control which is a feature in old code as 8.0 this means that basically you have to have a nat rule for everything, the no matching global means that although you have nat ( inside) x statement you do not have a matching global (dmz) for the dmz to make a translation, an easy way to fix this is creating a static nat for inside and dmz like the following:

Static(inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

Static(DMZ,inside) 172.28.0.0 172.28.0.0 netmask 255.255.255.0

Hope this helps.

Hi Kornelia,

ASA.M.Oss — Thu, 26 May 2016 08:39:55 GMT

Hi Kornelia,

thanks a lot for working on it. I tried your static entries, but as soon as I wr mem the updated configuration, the Internet access does not work anymore. Seems like all traffic is then sent to the DMZ interface?

Where did I make the mistake?

Thanks for supporting,
Mario

Hello Mario,

Kornelia Gutierrez — Fri, 27 May 2016 03:09:00 GMT

Hello Mario,

That is odd, the two nat statements that I provided should only affect the traffic between the inside and DMZ interface and not the internet traffic. You mention that if you save the configuration the internet breaks, what happens if you do not save it?

The following nat, that was already in place takes care of the internet traffic:

global (outside) 101 interface

nat (inside) 101 192.168.10.0 255.255.255.0
nat (DMZ) 101 172.28.0.0 255.255.255.0

The other two nat rules affect the traffic between the Inside and DMZ server

Static(inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

Static(DMZ,inside) 172.28.0.0 172.28.0.0 netmask 255.255.255.0

Could you kindly please run the following two packet tracers and share the outputs?

packet-tracer input inside tcp 192.168.10.100 1026 8.8.8.8 80

packet-tracer input DMZ tcp 172.28.0.16 1028 8.8.8.8 80

packet-tracer input inside tcp 192.168.10.100 1025 172.28.0.15 80

Re: Hello Mario,

jroy777 — Tue, 07 Apr 2020 19:17:33 GMT

Re: Hello,

jroy777 — Tue, 07 Apr 2020 19:28:36 GMT